Channel: Spiceworks Community

Why Your Password Can't be That Long - Why it should


So, early morning, digging around ars, and I read this headline:

Why your password can’t have symbols—or be longer than 16 characters

Even a bank that limits passwords to eight characters defends itself.

(link)

Now, some of you know I'm a big fan of passphrases instead of passwords. Initially I took this headline as "look at these silly little companies that nobody has ever heard of not 'getting' computers; let's laugh at them!"

So I start reading the article, and it just doesn't look right; then I scan:

Charles Schwab - That's not a little credit union out in the midwest...

Microsoft - They're not a soap-maker in Oregon with an AS/400...

Evernote - That's not a social networking site for Icelandic figure skaters...

AT&T

Capital One

So you're telling me the customer portals / etc. for all of these companies don't encourage secure passwords? What's the deal with that?

After reading and digesting it seems to come down to:

  • Ease of Use (AT&T's decision to not permit symbols other than "-" and "_")
  • Technical Limitations (Evernote's fear of leading spaces, Microsoft's "our stuff is old and cranky" defense)
  • "We're looking into it" (Schwab's nonsense requirement of between 6 and 8 characters)
  • Ineffectiveness

I think this quote from Microsoft really hit me:

Microsoft says that most attacks on accounts cannot be defended by password length, and the company adds that password cracking is hardly its biggest problem.

“Criminals attempt to victimize our customers in various ways and we’ve found the vast majority of attacks are through phishing, malware infected machines, and the reuse of passwords on third-party sites—none of which are helped by very long passwords,” a Microsoft spokesperson told Ars.

So if Microsoft thinks that 16 characters should be the upper limit, why do I personally think that 10 is a reasonable minimum?

My argument for passphrases has always been:

  • Higher Security (due to length and forced special characters)
  • Ease of use (since a phrase is natural)

(for those that don't know, a passphrase would be either a short sentence or series of words, preferably nonsensical and/or unrelated. An example would be "It isn't a password!". XKCD's take on passwords.)

So if Microsoft, operators of Hotmail, aren't concerned by password cracking, why should I be concerned about the same for my company?

Yes, LivingSocial just had a major password breach (50M salted passwords, mmmmmm salted passwords), and it's now possible to crack any 8-character password with GPGPU in half a day. But in reality these attacks aren't targeted at SMBs. Yes, there is always going to be the odd case here and there where someone targets those that "least expect it", and that is likely to be an SMB/E, and yes, all data is significant, no matter how "unimportant" it seems to be to an outsider.

But is that where focus should be?

I don't think so.

Nope, I think it's more important to ensure that everyone knows how to spot phishing attacks. Teach them why they should keep information, no matter how seemingly unimportant, to themselves. Or, if all else fails, to just "If you see something, say something".

I still think that passphrases are better than passwords, and my users seem to agree. The group that has used them has reported they like it, and find it much easier to change passwords when required (rather than spending 10 minutes trying to change the password without just adding yet another number onto the end). I also find fewer Post-Its under keyboards with "Password is Fluffy1973" written on them (but they might just be hiding them better).

So what do you think?

What's your policy in the office?

How have you ensured compliance?
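Added example, not code from the post or from Ars: a small Python script that puts numbers on the post's comparison (a random 8-character password versus a word-list passphrase, at an assumed offline guess rate) and checks the post's own sample secrets against policies shaped like the caps it describes (a 16-character maximum, Schwab's 6-to-8 range, AT&T's "-" and "_" symbol rule, a ban on leading spaces). The guess rate and the 7776-word dictionary size are assumptions, not figures from the post.

```python
import math

# Assumed offline guess rate against a fast hash; a constructed figure, not from the post.
GUESSES_PER_SECOND = 10**11
# Assumed dictionary size for a word-list passphrase (a common word-list length).
DICTIONARY_WORDS = 7776
PRINTABLE_ASCII = 95  # letters, digits and the symbols on a US keyboard

def keyspace_bits(length, alphabet_size):
    """Entropy in bits of a secret of `length` symbols picked uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)

def expected_crack_hours(entropy_bits, rate=GUESSES_PER_SECOND):
    """Expected offline cracking time: on average half the keyspace is searched before a hit."""
    return (2 ** entropy_bits) / 2 / rate / 3600

def policy_violations(secret, min_len=10, max_len=None, allowed_symbols=None,
                      allow_leading_space=True):
    """List the reasons `secret` fails a policy shaped like the ones quoted in the post.
    allowed_symbols=None accepts any symbol; a string restricts symbols to that set
    (AT&T's "-_" rule). max_len models the 16-character and 8-character caps."""
    problems = []
    if len(secret) < min_len:
        problems.append(f"shorter than {min_len}")
    if max_len is not None and len(secret) > max_len:
        problems.append(f"longer than {max_len}")
    if allowed_symbols is not None:
        bad = sorted({c for c in secret if not c.isalnum() and c not in allowed_symbols})
        if bad:
            problems.append("disallowed symbols: " + repr("".join(bad)))
    if not allow_leading_space and secret.startswith(" "):
        problems.append("leading space")
    return problems

if __name__ == "__main__":
    for label, bits in (("random 8 printable chars", keyspace_bits(8, PRINTABLE_ASCII)),
                        ("4 dictionary words", keyspace_bits(4, DICTIONARY_WORDS)),
                        ("6 dictionary words", keyspace_bits(6, DICTIONARY_WORDS))):
        print(f"{label:26s} {bits:5.1f} bits  ~{expected_crack_hours(bits):,.0f} h offline")
    # The post's own sample secrets against the caps it describes.
    samples = [
        ("passphrase vs 16-char cap", "It isn't a password!", {"max_len": 16}),
        ("passphrase vs AT&T symbols", "It isn't a password!", {"allowed_symbols": "-_"}),
        ("passphrase vs 6-8 range", "It isn't a password!", {"min_len": 6, "max_len": 8}),
        ("Post-It password, 10 minimum", "Fluffy1973", {}),
    ]
    for label, secret, policy in samples:
        print(f"{label:30s} {policy_violations(secret, **policy) or 'passes'}")
```

Note that "Fluffy1973" passes a bare 10-character minimum: a length rule alone says nothing about how guessable a secret is.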
